Transcription
Application NoteConfiguration Guide for ShoreTel and Ingate29 August 2008Config Guide for ShoreTel and Ingate
Table of Contents1INTRODUCTION. 12SHORETEL CONFIGURATION . 22.1 OVERVIEW . 22.1.1Version Support . 22.1.2ShoreTel Unsupported Features . 22.2 SHORETEL CONFIGURATION . 22.2.1Call Control Settings . 32.2.2Sites Settings . 52.2.3Switch Settings - Allocating Ports . 62.2.4System Settings – Trunk Groups . 72.2.5System Settings – Individual Trunks . 113INGATE CONFIGURATION . 133.1 ABOUT . 133.1.1Startup Tool . 133.1.2Web Admin . 133.2 CONNECTING THE INGATE FIREWALL/SIPARATOR . 143.3 USING THE STARTUP TOOL . 163.3.1Configure the Unit for the First Time . 163.3.2Change or Update Configuration . 193.3.3Network Topology. 223.3.4IP-PBX. 333.3.5ITSP . 343.3.6Upload Configuration . 374TROUBLESHOOTING . 394.1 STARTUP TOOL TROUBLESHOOTING . 394.1.1Status Bar . 394.1.2Configure Unit for the First Time . 394.1.3Change or Update Configuration . 404.1.4Network Topology. 414.1.5IP-PBX. 414.1.6ITSP . 424.1.7Apply Configuration . 424.2 INGATE WEB GUI CONFIG . 434.2.1Network – Network and Computers . 434.2.2Basic Configuration – SIParator Type (SIParator Only) . 434.2.3SIP Service – Basic . 444.2.4SIP Service – Interoperability. 444.2.5SIP Traffic – Filtering . 454.2.6SIP Traffic – User Database. 454.2.7SIP Traffic – Routing . 454.2.8SIP Traffic – Dial Plan . 464.3 USING THE INGATE FOR TROUBLESHOOTING . 474.3.1Troubleshooting Outbound Calls. 474.3.2Troubleshooting Inbound Calls . 49Tested versions:Revision History:Revision1Ingate Firewall/SIParator -Version 4.6.2Ingate Startup Tool – Version 2.4.0Date2008-08-29AuthorScott BeerConfig Guide for ShoreTel and IngateComments1st Release
1 IntroductionThis document provides details for connecting the ShoreTel system through the IngateSIParator / Firewall to the ITSP for SIP Trunking to enable audio communications.The document focuses on the network architecture needed to set up these systems tointeroperate.ShoreTel and Ingate have teamed up to build a solid security focused solution, ShoreTelbeing the IP PBX which sits on the LAN and connects to the Ingate SIParator / Firewall.Providing a solution to allow customers the ability to connect to SIP Trunks offered bydifferent ITSPs in a secure manner is important. The Ingate then is connected to notonly the LAN but also the WAN, providing the typical firewall security abilities but alsointelligent SIP routing and such SIP features as:RegistrationDigest AuthenticationDial Plan ModificationBack to Back User Agent (Terminates SIP messaging on both LAN and WANside)Transfer conversion of SIP REFER to SIP reINVITE messaging (critical)Quick configuration templates for each of the certified ITSPsIngate has two products for this solution, the Ingate Firewall and Ingate SIParator.From a SIP functionality point of view they are basically the same. The Ingate Firewallalso provides normal data firewalling functionality and is recommended if the enterprisewants to replace the existing firewall. The Ingate SIParator is the solution for those whowant the keep an existing firewall when adopting SIP. In this case the Ingate SIParatorwill co-exist in parallel with the normal data firewall. The routing of SIP traffic to theIngate SIParator / Firewall can be accomplished in many ways and each will be discussedin this document.Config Guide for ShoreTel and IngatePage 1
2 SHORETEL CONFIGURATIONThe configuration information below shows examples for configuring both the ShoreTel,Ingate and ITSP. Even though configuration requirements can vary from setup to setup,the information provided in these steps, along with the Planning and Installation Guideand documentation provided by Ingate and the ITSP, should prove to be sufficient.However every design can vary and some may require more planning then others.2.1 OVERVIEW2.1.1 Version SupportProducts are certified via the Technology Partner Certification Process for the ShoreTelsystem. Table below contains the matrix of Ingate Firewall and Ingate SIParator versionsfirmware releases certified on the identified ShoreTel software releases.Ingate Firewall and Ingate SIParator version4.5.1 with4.5.24.6.0the patch igpatch-4-5-1shoretel-2appliedShoreTel 7.0 ShoreTel 7.5 4.6.14.6.2 2.1.2 ShoreTel Unsupported FeaturesAt the time of this writing, the following features are not supported, though support willbe added in an upcoming future release:Fax redirect not supported today via SIP Trunks (though direct Direct InwardDialing (DID) to fax endpoint is supported)Office Anywhere2.2 SHORETEL CONFIGURATIONThis section describes the ShoreTel system configuration to support SIP Trunking. Thesection is divided into general system settings and trunk configurations (both group andindividual) needed to support SIP Trunking.Note: ShoreTel basically just points its Individual SIP Trunks to the Ingate SIParator.The first settings to address within the ShoreTel system are the general system settings.These configurations include the Call Control, the Site and the Switch settings. If theseitems have already been configured on the system, skip this section and go on to the“ShoreTel System Settings – Trunk Groups” section below.Config Guide for ShoreTel and IngatePage 2
2.2.1 Call Control SettingsThe first settings to configure within ShoreWare Director are the Call Control Options.To configure these settings for the ShoreTel system, log into ShoreWare Director andselect “Administration” then “Call Control” followed by “Options”.Administration Call Control OptionsThe “Call Control Options” screen will then appear.Call Control OptionsConfig Guide for ShoreTel and IngatePage 3
Within the “Call Control Options” screen, confirm that the appropriate settings are madefor the “Enable SIP Session Timer”, “Intra-Site Calls”, “Inter-Site Calls” and “AlwaysUse Port 5004 for RTP” fields.The first step is to make sure that the “Enable SIP Session Timer” box is checked. Nextthe Session Interval Timer needs to be set. The recommended setting for “SessionInterval” is 1800 seconds. The last item to select is the appropriate refresher (from thepull down menu) for the SIP Session Timer. The “Refresher” field will be set either to“Caller (UAC)” [User Agent Client] or to “Callee (UAS)” [User Agent Server]. If the“Refresher” field is set to “Caller (UAC)”, the Caller’s device will be in control of thesession timer refresh. If “Refresher” is set to “Callee (UAS)”, the device of the personcalled will control the session timer refresh.The next settings to verify are the “Intra-Site Calls” and the “Inter-Site Calls” settingsunder the” Voice Encoding and Quality of Service” prompt. For the Intra-Site Calls,verify that the desired audio bandwidth is selected for the CODEC for calls within thesystem. The settings should then be confirmed for the desired audio bandwidth CODECfor Inter-Site calls (calls between sites).Note: SIP uses both G.711 and G.729 CODECs. The CODEC setting will benegotiated to the highest CODEC supported (fax requires G.711 at minimum).Note: Unchecking the box for “Always Use Port 5004 for RTP” is required forimplementing SIP on the ShoreTel system. For SIP configurations, Dynamic UserDatagram Protocol (UDP) must be used for RTP Traffic. If the box is unchecked,MGCP will no longer use UDP port 5004; MGCP and SIP traffic will use dynamic UDPports. Once this parameter is unchecked, make sure that “everything” (IP Phones,ShoreGear Switches, ShoreWare Director, Distributed Voice Services / Remote Servers,Conference Bridges and Contact Centers) is “fully” rebooted – this is a “one time only”item. By not performing a full system reboot, one way audio will probably occur duringinitial testing.Config Guide for ShoreTel and IngatePage 4
2.2.2 Sites SettingsThe next settings to address are the administration of sites. These settings are modifiedunder the ShoreWare Director by selecting “Administration”, then “Sites”.Administration SiteThis selection brings up the “Sites” screen. Within the “Sites” screen, select the name ofthe site to configure. The “Edit Site” screen will then appear. The only change requiredto the “Edit Site” screen is to the “Admission Control Bandwidth” field.Note: Bandwidth of 1024 is just an example. Please see the Planning and InstallationGuide for additional information on setting Admission Control Bandwidth.Sites Edit screen – Admission Control BandwidthThe Admission Control Bandwidth defines the bandwidth available to and from the site.This is important as SIP devices will be counted against the site bandwidth. Bandwidthneeds to be set appropriately based on site setup and configuration with the ITSP SIPTrunking. See the ShoreTel Planning and Installation Guide for more information.Config Guide for ShoreTel and IngatePage 5
2.2.3 Switch Settings - Allocating PortsThe final general settings to input are the ShoreGear switch settings. These changes aremodified by selecting “Administration”, then “Switches” in ShoreWare Director.Administration SwitchesThis action brings up the “Switches” screen. From the “Switches” screen simply selectthe name of the switch to configure. The “Edit ShoreGear Switch” screen will bedisplayed. Within the “Edit ShoreGear Switch” screen, select the desired number ofSIP Trunks from the ports available.ShoreGear Switch SettingsEach port designated as a SIP Trunk enables the support for 5 individual trunks.Config Guide for ShoreTel and IngatePage 6
2.2.4 System Settings – Trunk GroupsShoreTel Trunk Groups support both Dynamic and Static SIP endpoint IndividualTrunks.Note: A ShoreGear switch can only support one Trunk Group with Dynamic IPaddressing.In trunk planning, the following need to be considered.1. Are the SIP devices using DHCP or Static IP?2. Are the SIP devices endpoints (like Attached Technology Attachments (ATAs),Conference Phone or WiFi handset) or non-endpoint devices like an ITSP?If the SIP Trunk Groups have already been configured on the system, skip down to the“ShoreTel System Settings - Individual Trunks” section. The settings for Trunk Groupsare changed by selecting “Administration”, then “Trunks” followed by “Trunk Groups”within ShoreWare Director.Administration Trunk GroupsThis selection brings up the “Trunk Groups” screen.Trunk Groups SettingsFrom the pull down menus on the “Trunk Groups” screen, select the site desired andselect the “SIP” trunk type to configure and click on the “Go” link from “Add newtrunk group at site:”. The “Edit SIP Trunk Group” screen will appear.Config Guide for ShoreTel and IngatePage 7
SIP Trunk Group SettingsFor the Ingate SIP Trunking, the trunks need to be configured as inter-site trunks (trunksbetween sites). The trunks will also be configured as static.The next step within the “Edit SIP Trunks Group” screen is to input the name for thetrunk group. In the example in Figure 9, the name “SIP” has been created. The next stepis to verify the setting of the “Teleworker” check box. The “Teleworker” check boxneeds to be checked since the trunk groups have been configured as inter-site. Once thisbox is checked, it will count against the site bandwidth.The “Enable Digest Authentication” field is not required when connecting to an Ingatebox.The “Enable SIP Info for G.711 DTMF Signaling” box should not be checked.Enabling SIP info is currently only used with tie trunks between ShoreTel systems.The next item to change in the “Edit SIP Trunks Group” screen is to make theappropriate settings for the “Inbound:” fields.Config Guide for ShoreTel and IngatePage 8
InboundWithin the “Inbound:” settings ensure the “Number of Digits from CO” is set to XXITSP provided and ensure the “DNIS” or “DID” box is checked , along with theExtension parameter(see Planning and Installation Guide for further information onconfiguration).Tandem Trunking is not required unless you plan on routing incoming SIP trunk callsout other ShoreTel trunks.Note: This section is configured no different then any normal Trunk GroupConfig Guide for ShoreTel and IngatePage 9
Trunk ServicesOn the “Trunk Services:” screen, make sure the appropriate services are checked orunchecked based on what the ITSP supports and what features are needed from thisTrunk Group.The last checkbox determines if the call is sent out as unknown or with callerinformation (Caller ID). User DID etc. will impact how information is passed out to theSIP Trunk group.After these settings are made to the “Edit SIP Trunk Group” screen, press the “Save”button to input the changes.This completes the settings needed to set up the trunk groups on the ShoreTel system.Config Guide for ShoreTel and IngatePage 10
2.2.5 System Settings – Individual TrunksThis section covers the configuration of the individual trunks. Select “Administration”,then “Trunks” followed by “Individual Trunks” to configure the individual trunks.Individual TrunksThe “Trunks by Group” screen that is used to change the individual trunks settings thenappears.Trunks by GroupSelect the site for the new individual trunk(s) to be added and select the appropriatetrunk group from the pull down menu in the “Add new trunk at site” area. In thisexample, the site is “Headquarters” and the trunk group is “SIP”. Click on the ”Go”button to bring up the “Edit Trunk” screen.Edit Trunks Screen for Individual TrunksConfig Guide for ShoreTel and IngatePage 11
From the individual trunks “Edit Trunk” screen, input a name for the individual trunks,select the appropriate switch, select the SIP Trunk type and input the number of trunks.When selecting a name, the recommendation is to name the individual trunks the same asthe name of the trunk group so that the trunk type can easily be tracked. Select theswitch upon which the individual trunk will be created. For the ITSP Trunk, select “UseIP Address” button and input an IP address of the Ingate SIParator product. The laststep is to select the number of individual trunks desired (each one supports “one” audiopath – example if 5 is input, then 5 audio paths can be up at one time). Once thesechanges are complete, press the “Save” button to input the changes.Note: Individual SIP Trunks cannot span networks. SIP Trunks can only terminate onthe switch selected. There is no failover to another switch. For redundancy, two trunkgroups will be needed with each pointing to another Ingate SIParator – just the same asif PRI were being used.After setting up the trunk groups and individual trunks, refer to the ShoreTel ProductInstallation Guide to make the appropriate changes for the User Group settings. Thiscompletes the settings for the ShoreTel system side.Config Guide for ShoreTel and IngatePage 12
3 INGATE CONFIGURATION3.1 ABOUTIngate products are compatible with communications equipment from other vendors andservice providers who support the SIP Protocol. The Ingate products are a securitydevice designed to sit on the Enterprise network edge, an ICSA Labs Certified securityproduct, focused on SIP communications security and network security for theEnterprise.Ingate products are designed to solve the issues related to SIP traversing the NAT(Network Address Translation) which is a part of all enterprise class firewalls. The NATtranslates between the public IP address(es) of the enterprise, and the private IPaddresses which are only known inside the LAN. These private IP addresses are createdto enable all devices to have an IP address, and also provide one of the security layers ofthe enterprise network. In addition, the Ingate products provide routing rules to assignto SIP traffic flow to ensure only allowed SIP traffic will pass.3.1.1 Startup ToolThe Ingate Startup Tool is an installation
Config Guide for ShoreTel and Ingate SIP Trunk Group Settings For the Ingate SIP Trunking, the trunks need to be configured as inter-site trunks (trunks between sites). The trunks will also be configured as static. The next step within the “Edit SIP Trunks
